Malaysia investigating reported leak of 46 million
mobile users data
Send a link to a friend
[November 01, 2017]
By Rozanna Latiff and Jeremy Wagstaff
KUALA LUMPUR/SINGAPORE (Reuters) - Malaysia
is investigating an alleged attempt to sell the data of more than 46
million mobile phone subscribers online, in what appears to be one of
the largest leaks of customer data in Asia.
The massive data breach, believed to affect almost the entire population
of Malaysia, was first reported last month by Lowyat.net, a local
technology news website. The website said it had received a tip-off that
someone was trying to sell huge databases of personal information on its
The country's internet regulator, the Malaysian Communications and
Multimedia Commission (MCMC), was looking into the matter with the
police, Communications and Multimedia Minister Salleh Said Keruak said
"We have identified several potential sources of the leak and we should
be able to complete the probe soon," Salleh told reporters at
The leaked data included lists of mobile phone numbers, identification
card numbers, home addresses, and SIM card data of 46.2 million
customers from at least 12 Malaysian mobile phone and mobile virtual
network operators (MVNO).
Cybersecurity researchers said the leaked data was extensive enough to
allow criminals to create fraudulent identities to make online
Justin Lie, CEO of Cashshield, a Singapore-based anti-fraud company,
compared the Malaysian case in its "degree of complexity" to the cyber
attack on U.S. credit-scoring agency Equifax Inc, which said in
September that cyber criminals had stolen sensitive information from
145.5 million people.
"Now these hackers have more quality information such as birth dates, IC
numbers, mobile numbers, email address and passwords," Lie said about
the Malaysian attack.
Customers of Malaysia's biggest mobile service providers, including
Maxis <MXSC.KL>, Axiata Group's Celcom <AXIA.KL> and DiGi <DSOM.KL>,
among others, were affected.
MCMC's chief operating officer Mazlan Ismail said on Tuesday the
regulator had met with local telecommunications companies to seek their
cooperation in the probe, according to state news agency Bernama.
[to top of second column]
An illustration picture
shows a network cable next to a pack of smartphones in Berlin, June
7, 2013. REUTERS/Pawel Kopczynski
Celcom and Maxis said in separate statements they were cooperating with
authorities on the investigation. DiGi did not respond to requests for
"ALMOST EVERY MALAYSIAN"
According to a Singapore-based cybersecurity researcher, the leaked
database was initially being sold on several underground forums for 1
bitcoin, which was trading on Wednesday at around $6,500. At least one
other user was posting a link for anyone to download for free.
The researcher, who declined to be named, said he had seen at least 10
people on an online forum in the "dark web" download the data before it
was taken offline.
"Discussion in the dark web shows a huge interest," he said.
Time stamps indicate the leaked data was last updated between May and
July 2014, Lowyat.net said.
"We are urging the telco and MVNO companies mentioned above to alert,
and start immediately replacing the SIM cards, of all affected
customers, especially those who have not updated their SIM cards since
2014," Lowyat.net said in a post.
Malaysia's population is just around 32 million, but many have several
mobile numbers. The lists are also believed to include inactive numbers
and temporary ones bought by visiting foreigners, The Star newspaper
Bryce Boland, FireEye's chief technology officer in Asia Pacific, said
if the data was widely available as suspected, it could be used for
identity fraud and scams.
"This stolen data may ultimately impact almost every Malaysian," he
The data also includes private information of more than 80,000
individuals leaked from the records of the Malaysian Medical Council,
the Malaysian Medical Association, and the Malaysian Dental Association,
(Additional reporting by Joseph Sipalan; writing by Praveen Menon;
Editing by Bill Tarrant)
[© 2017 Thomson Reuters. All rights
Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.